Crypto Stealing : Clip Bankers on the go – K7 Labs

Go code related malwares are getting pretty common day by day because of multiple reasons like easy to code, a single codebase which can be used to generate samples for multiple OSes, difficult to reverse engineer, etc. We came across a campaign recently where attackers used Go based clip bankers to steal crypto on the go using a Telegram bot . We saw multiple variants of similar kinds of clip bankers where code has been modified frequently with the base functionality remaining the same. We are going to talk about such clip bankers in this blog in detail.

Let’s analyse the samples now. The malware first creates a mutex to avoid running the sample again in the same machine and then gets the path of the APPDATA folder on the machine to create a directory inside the Roaming folder so as to copy the malware there with random name and hidden file attributes. Some samples copy malware directly inside the startup folder.

Figure 1: Creating Mutex and getting %Appdata% folder path
Figure 2: Other variants copying samples in startup folder

After copying malware, a CurrentVersionRun registry is created to run the sample automatically on startup.

Figure 3: Malware creating Run Entry

After executing from the new location, the malware continues execution if and only if it establishes connection to the Telegram bot with the token in the API for authentication.

Figure 4: Authenticating the telegram bot
Figure 5: Telegram bot Api from one of the samples

After getting response code 200 from the bot, the malware first gets the unique Machine ID of the system using registry key SOFTWAREMicrosoftCryptography to uniquely identify the victim and  then reads all the clipboard content of the victim. This is implemented using a Go based open source module from github.

Figure 6: Reading clipboard content
Figure 7: Legitimate Github Library used to implement clipboard related functions

After reading all the content from clipboard, the malware parses through the content and tries to figure out if the content has crypto wallet addresses by using regular expressions so that it can replace the address with the attackers’ crypto wallet address. Only the crypto wallet address is changed with all the other content remaining the same and this modified content is again written to the victims’ clipboard.

Figure 8: Content being written to clipboard again after modification
Figure 9: One of the Bitcoin wallet address recovered from malware

Then the malware sends victims information to the attacker to keep track of the victims using Telegram bot and the malware forms a message which consists of IP Address,location of malware, MachineId,victim’s clipboard content ,Username, etc.

Figure 10: Sending all the information to telegram bot using particular chat id
Figure 11: Content being posted to the same bot using particular chat id

As we can see, creating malware has become so easy because of easy availability of ready to use code. Protecting yourself by investing in a reputable security product such as K7 Antivirus is therefore necessary in today’s world. We at K7 Labs provide detection for clip bankers like these and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.

IOCs

Hash Detection Name
7819e8b66bbd678d9898a39630c5cb94e1d63b3ffe46b7cf0e9d4477e7ebc9a8  Trojan ( 005a7a4e1 )
cf58ff751bc10914fca398a2f609114dd24005ac2307435de084488bed63a0a1  Trojan ( 005a7a4e1 )
88fb5c53b84be0f6920e6cb02572d32fe23312e32d2a003a3a0c30f6583e4525  Trojan ( 005a7a4e1 )

Telegram bots

https://api[.]telegram.org/bot6196834985:AAGnbCo052bvVJwExx3QNxYfeNlJP_ULQWo/getMe https://api[.]telegram.org/bot6178300689:AAE_Khw1mc6SGGUGoqaAkA7LhctwrtjGxXo/getMe https://api[.]telegram.org/bot6240158659:AAHW9JcpmR7UEn0cDKvOUiiAVaj-hdcWzgU/getMe

Bitcoin Wallet Addresses

Bc1q8jgyp7qs6j9lstr7em94q4l8rvl7szjnzhtywq

Bc1qjddsfqk3hvlr86xgtkazswtux4w8acpqm9mrle

qphmukvwzu4s07ku34zhpz646lgt6ayulug2vn24q4

Source: Original Post


“An interesting youtube video that may be related to the article above”